Author Topic: Yet another Tonghui TH2822A LCR meter review in pictures  (Read 34335 times)

0 Members and 1 Guest are viewing this topic.

Offline valentinc

  • Regular Contributor
  • *
  • Posts: 119
  • Country: ro
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #25 on: April 17, 2013, 11:58:06 pm »
    I think I figured out most of it ... The 165Z that appears at almost every read is probably some adress... it hasn't have any meaning for our purpose that's for sure :)

    I attached an xls with the comments

    I'll try to get a USB logic analyzer from a friend of mine to capture the data in my Tonghui and compare ...

    And I'm not sure that the content that transfers at boot is all the content in the EEPROM, it should be, but who knows, until I desolder the chip and put in on an EEPROM programmer and read it I can't be 100% sure. But I'll need a EEPROM programmer to do the hack anyway, so probably I'll get one from ebay.
« Last Edit: April 18, 2013, 12:05:36 am by valentinc »
Valentin
 

Offline ivan747

  • Super Contributor
  • ***
  • Posts: 2045
  • Country: us
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #26 on: April 18, 2013, 02:20:10 am »
That converted to ASCII makes much more sense. The 0's at the end of certain read commands are the null terminators for strings in C.

Good job on the color coding, I was thinking of doing that myself.
 

Offline ivan747

  • Super Contributor
  • ***
  • Posts: 2045
  • Country: us
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #27 on: April 18, 2013, 02:35:46 am »
I reckon the model information must be either '165' Z or the configuration bits. One explanation for the continuous reading of the model info might be to have some sort of confirmation every time the software passes though certain point that the LCR model is this or that. Maybe the MCU has the model number on its EEPROM as well to make it secure and they are constantly compared?  :-//

Might be worth it to mess with the configuration bits.

For some reason the MCU writes on the EEPROM a (ascending) numerical value for each packet and a second byte following that which to me appears random but must have some logic behind.

Have you found any evidence of a checksum anywhere? If not, I think a hack might be very easy on this one.
 

Offline valentinc

  • Regular Contributor
  • *
  • Posts: 119
  • Country: ro
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #28 on: April 19, 2013, 12:16:55 pm »
   There isn't any obvious evidence of a checksum...

   Probably next week I can get a logic analyzer and sniff the packets of my TH2822 and compare them.

 
Valentin
 

Offline reagleTopic starter

  • Supporter
  • ****
  • Posts: 554
  • Country: us
    • KuzyaTech
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #29 on: April 20, 2013, 12:23:27 am »
Almost forgot- here is a Saelea Logic data file. You can use their software standalone without the analyzer to view it. Remove .txt at the end

Offline ivan747

  • Super Contributor
  • ***
  • Posts: 2045
  • Country: us
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #30 on: April 20, 2013, 12:37:40 am »
Almost forgot- here is a Saelea Logic data file. You can use their software standalone without the analyzer to view it. Remove .txt at the end

Good, good. Checking it out right now.  :-DMM
 

Offline reagleTopic starter

  • Supporter
  • ****
  • Posts: 554
  • Country: us
    • KuzyaTech
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #31 on: April 20, 2013, 02:56:14 am »
And here is my analysis in an excel file. I looked at a combination of binary/HEX/ASCII.
0xA5 0x5A is just asking to be a marker of a packet beginning and end
Everything else is basically a bunch of reads, and I think most are actually returning binary data, and only the first string with version is in ascii.
So we could create a memory map of sorts, based on these addresses. But it would definitely help if we had captures from a few more units.
I do wonder why did they use a 64kb part to store this little data.


« Last Edit: April 20, 2013, 03:17:47 am by reagle »
 

Offline ivan747

  • Super Contributor
  • ***
  • Posts: 2045
  • Country: us
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #32 on: April 21, 2013, 12:59:04 am »
I do wonder why did they use a 64kb part to store this little data.

Reading the actual EEPROM could shine some light into that. Maybe they already used that part on different tools. It's common to do that to reduce stock variety, for example. Is the firmware upgradable? Maybe they are planning ahead. I

Or it could be used for datalogging but that got cancelled or is available in higher end models.
 

Offline valentinc

  • Regular Contributor
  • *
  • Posts: 119
  • Country: ro
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #33 on: April 21, 2013, 10:49:09 am »
Quote
Is the firmware upgradable?

Yes, the firmware is upgradable, they say that in the user manual. But on the other hand it's Tonghui have not offered any firmware upgrade since they released the product...

Quote
Everything else is basically a bunch of reads, and I think most are actually returning binary data, and only the first string with version is in ascii.

I think 030 after VER 2.1.11 may be the model number.

Quote
But it would definitely help if we had captures from a few more units.

I'll see what I can do next week about that... As is said, unfortunately, I personally don't have a logic analyzer in my lab...
« Last Edit: April 21, 2013, 10:51:34 am by valentinc »
Valentin
 

Offline reagleTopic starter

  • Supporter
  • ****
  • Posts: 554
  • Country: us
    • KuzyaTech
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #34 on: April 22, 2013, 02:18:46 pm »
I have access to Logic 16 one, but what I need to do is just hook up Bus Pirate and do a continuous read. Time's been a bit of a problem, but will try to get to it in the next few days

Offline reagleTopic starter

  • Supporter
  • ****
  • Posts: 554
  • Country: us
    • KuzyaTech
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #35 on: April 23, 2013, 02:58:32 am »
I tried using Bus Pirate but with  no luck. I can sniff the bus on boot and get the same data as with Logic 16, but I can not talk to the chip. I wonder if somehow the bus is held high- not really an I2C compliant thing if I am not mistaken.
 I've tested it on standalone EEPROMs and the ones on an old VGA monitor boards and was able to read them just fine : Basically switch to I2C mode, do a discovery scan (1), then set address to all 0: [0xA0 0 0], followed by a read [0xA1 r:100]
On the above chips it works fine, on the one inside the meter I just get NACks on everything and bus scan returns nothing. Looking at the bus with a  logic analyzer probes from my scope, I don't see lines wiggle when bus pirate tries to drive them. Weird  ???

Offline carloscuev

  • Regular Contributor
  • *
  • Posts: 122
  • Country: mx
    • Spanish Freescale Developers Forum
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #36 on: July 26, 2013, 05:07:21 am »
I found my probe pcb edge connectors were corroding or something, very bad quality gold pating on them, when measuring I had poor results, rather unstable and not repetitive.


So I decided to install custom 4-wire bananna connectors, note that I inserted spacers between the plates of the connectors to disconnect them from each other:


And convert my 2 probes to this probe system of 4-wire + guard connection:


Now the measurements are much more stable and repetitive than before, I regret not doing tests (and record them!) before and after the modding, but I am sure that the stability is very much improoved

I want to start researching to hack it to 100kHz, but I can't find a datasheet for the eeprom:


Any advise on where to find it?

I think I've read somewhere that this EEPROM is write protected, is it true?

I have a Saleae logic analyzer to read the data flow and a BusPirate to read/write the EEPROM, but how can we get a TH2822C (100kHz) EEPROM readout to try to find if there's a magic bit (or bits) to flip?

Regards!
 

Offline carloscuev

  • Regular Contributor
  • *
  • Posts: 122
  • Country: mx
    • Spanish Freescale Developers Forum
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #37 on: July 27, 2013, 06:44:35 am »
Here's the Saleae sniffing of the I2C comms:
CH0: SCL
CH1: SDA
CH2: Write Protect Pin



I attached the *.logicdata file, download the Saleae application to open it: http://www.saleae.com/downloads
« Last Edit: July 27, 2013, 06:48:30 am by carloscuev »
 

Offline carloscuev

  • Regular Contributor
  • *
  • Posts: 122
  • Country: mx
    • Spanish Freescale Developers Forum
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #38 on: July 27, 2013, 08:40:57 am »
Additionally I have found that the MCU reads or writes the EEPROM in this cases:

Switching Frequency from 10k to 100:
Read @0x0164: A5 5A
Read @0x0166: 16 DC 33 4D D2 FF 5B CE
Read @0x0578: A5 5A
Read @0x057A: 8F F3 A0 3D 02 36 AD 3E
Read @0x0964: A5 5A
Read @0x0966: D9 08 80 3F 36 FA C1 3A

Switching Frequency from 100 to 120:
Read @0x0196: A5 5A
Read @0x0198: 94 27 BA 4D 4F CA B2 CE
Read @0x05AA: A5 5A
Read @0x05AC: AB AD 92 3D 60 35 81 3E
Read @0x0996: A5 5A
Read @0x0998: 20 0C 80 3F 49 4D DC 3A

Switching Frequency from 120 to 1k:
Read @0x025E: A5 5A
Read @0x0260: 32 AF AA 49 0C 71 DF CC
Read @0x0672: A5 5A
Read @0x0674: 38 88 34 3D 75 DC E7 3C
Read @0x0A5E: A5 5A
Read @0x0A60: 85 08 80 3F 61 C4 3E 3C

Switching Frequency from 1k to 10k:
Read @0x0326: A5 5A
Read @0x0328: 3A 9D BF 49 9C 23 3A CB
Read @0x073A: A5 5A
Read @0x073C: C8 9A 21 3D 02 39 35 3C
Read @0x0B26: A5 5A
Read @0x0B28: 03 AB 7E 3F 8E 2B 33 3D

Exiting UTIL menu with Power-Up setting as Previous
Write @0x0040: A5
Write @0x0041: 5A
Write @0x0042: 00
Write @0x0043: 00 (Beep, 0: Off, 1: On)
Write @0x0044: 02 (Auto-Off, 0: off,1: 5min, 2: 15min, etc.)
Write @0x0045: 00
Write @0x0046: 00
Write @0x0047: 00

Exiting UTIL menu with Power-Up setting as "Set"
Write @0x0040: A5
Write @0x0041: 5A
Write @0x0042: 00
Write @0x0043: 00 (Beep, 0: Off, 1: On)
Write @0x0044: 02 (Auto-Off, 0: off,1: 5min, 2: 15min, etc.)
Write @0x0045: 00
Write @0x0046: 00
Write @0x0047: 00
(and then)
Write @0x0050: A5
Write @0x0051: 5A
Write @0x0052: 01 (Mode, 00: L, 01: C, 02: R, 03: Z)
Write @0x0053: 0E (Sec. Display, 11: Frequency, 0E: ESR, etc. )
Write @0x0054: 0B (Frecuency, 0B: 10kHz, 07: 1kHz, 03: 120Hz, 02: 100Hz)
Write @0x0055: 00
Write @0x0056: 00
Write @0x0057: 00
Write @0x0058: 00
Write @0x0059: 00
Write @0x005A: 00
Write @0x005B: 00
Write @0x005C: 00 (??, 00: L, 01: CRZ)
Write @0x005D: 00
Write @0x005E: 00
Write @0x005F: 00
Write @0x0060: 00
Write @0x0061: 00
Write @0x0062: 00
Write @0x0063: 00 (01: AUTO, 00: otherwise)

So we can see that the EEPROM address 0x0040 to 0x0047 are used to store settings from the UTIL menu, that 0x0050 to 0x0063 is for the power-on state, and that for each frequency selection a new set of data is read, maybe calibration data?

This also gives more sense to what's happening on power on:

1. Power ON with AUTO (1kHz) power-on state:

[1st Block]
Read @0x0000: A5 5A
Read @0x0030: 56 45 52 32 2E 31 2E 31 31 30 33 00 ("VER2.1.1103\0")
Read @0x0040: A5 5A
Read @0x0040: A5 5A 00 00 02 00 00 00 (Beep, Auto-Off settings and maybe something else)
Read @0x0050: A5 5A
Read @0x0050: A5 5A 02 0D 07 00 00 00 00 00 00 00 01 00 00 00 00 00 00 01 (20 bytes, Power-up state)

[2nd Block]
(5 ms later, no idea what this is yet but depends on the power-up frecuency)
Read @0x0272: A5 5A
Read @0x0274: AA 73 CF 4B 35 BA 1B 4C
Read @0x067C: A5 5A
Read @0x067E: C3 F0 D1 3A A9 E0 87 3A
Read @0x0A7C: A5 5A
Read @0x0A7E: 96 E5 7F 3F 82 8F AF 38

[3rd Block]
(60 ms later, Read the presumably 1kHz cal data)
Read @0x025E: A5 5A
Read @0x0260: 32 AF AA 49 0C 71 DF CC
Read @0x0672: A5 5A
Read @0x0674: 38 88 34 3D 75 DC E7 3C
Read @0x0A5E: A5 5A
Read @0x0A60: 85 08 80 3F 61 C4 3E 3C


2. Power ON with Inductance at 10kHz power-on state:

[1st Block]
Read @0x0000: A5 5A
Read @0x0030: 56 45 52 32 2E 31 2E 31 31 30 33 00 ("VER2.1.1103\0")
Read @0x0040: A5 5A
Read @0x0040: A5 5A 00 00 02 00 00 00 (Beep, Auto-Off settings and maybe something else)
Read @0x0050: A5 5A
Read @0x0050: A5 5A 00 11 0B 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  (20 bytes, Power-up state)

[2nd Block]
(5 ms later, no idea what this is yet but depends on the power-up frecuency)
Read @0x033A: A5 5A
Read @0x033C: 73 B6 27 CA 00 EE 32 CB
Read @0x0744: A5 5A
Read @0x0746: A2 57 CA BA B6 DC 1C BA
Read @0x0B44: A5 5A
Read @0x0B46: 12 D9 7F 3F 03 6B A4 3A

[3rd Block]
(60 ms later, Read the presumably 10kHz cal data)
Read @0x0326: A5 5A
Read @0x0328: 3A 9D BF 49 9C 23 3A CB
Read @0x073A: A5 5A
Read @0x073C: C8 9A 21 3D 02 39 35 3C
Read @0x0B26: A5 5A
Read @0x0B28: 03 AB 7E 3F 8E 2B 33 3D

The 3rd block depends on the power-up frequency and is the same data that is read when changing frequency on the fly. No problem with this.

What's strange is that the 2nd block also depends on the power-up frequency and in fact is near the presumable cal data for that frecuency, but when changing frequency it is not read again, just on power-on. This may be a cal complement, but strangely is not read when changing frequencies.

Other strange thing is that in reagle's case, the 0x0050 read was 0xFF 0xFF and in my case are 20 bytes with the power-up state.

The most interesting part so far is the EEPROM Address 0x0054 which determines the power-up frecuency, so far I know the values for 100Hz, 120Hz, 1kHz and 10kHz (0x0B: 10kHz, 0x07: 1kHz, 0x03: 120Hz, 0x02: 100Hz) and taking into account that from 120Hz it's ascending by 4, 100kHz must be 0x0F

Next Step: Write 0x0F at address 0x0054 on EEPROM, power on, sniff all the way and watch what happens.
« Last Edit: July 27, 2013, 11:43:20 am by carloscuev »
 

Offline vtl

  • Regular Contributor
  • *
  • Posts: 136
  • Country: au
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #39 on: July 29, 2013, 10:16:04 am »
Very interesting thread here!

I had attached my EEPROM dump to my review thread but thought it might be good to keep all the hacking data in this thread

You have attached I2C dumps on frequency changes for all the transitions, but have you got the transition between 10KHz and 100Hz?

Asking this because I am wondering if it attempts to read the cal data from 100KHz, detecting it is blank, and them simply cycling back to 100Hz. If this is the case we should see an attempt to read location 0x326+0xC8=0x3EE

Another thing to attempt is to default our power up settings and then compare the binaries between models. It is possible the model differentiation is buried somewhere in the powerup settings

I wonder what happens if we simply change the hardware string? The Rigol hack is based on changing the model number also.

Only downside I can see to hacking the instrument is that we have no idea of the format of the cal values. The best you could do is copy someone elses cal values and hope their production process is consistent enough between boards.
« Last Edit: July 29, 2013, 10:20:36 am by vtl »
 

Offline vtl

  • Regular Contributor
  • *
  • Posts: 136
  • Country: au
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #40 on: July 30, 2013, 10:55:00 am »
I copied across the sections that were missing from my eeprom (presumably cal data) from the posts above

I can confirm changing the powerup settings does indeed work and my TH2822 (1KHz model) powered up with a 10KHz signal (confirmed on scope)

The only downside is that cycling through the frequencies with the button you cannot select 10KHz after leaving that mode and you must reboot the meter to get 10KHz again.

Would really be handy to have a full memory dump of a 2822A and a 2822C to see all of the differences rather than seeing small snippets of blocks

EDIT: Also works for 100KHz frequency by changing address 0x54 to 0xF, even though I have no cal data present
« Last Edit: July 30, 2013, 10:59:14 am by vtl »
 

Offline carloscuev

  • Regular Contributor
  • *
  • Posts: 122
  • Country: mx
    • Spanish Freescale Developers Forum
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #41 on: July 30, 2013, 11:39:49 am »
Yes! the semi-hack works. I'm powering-on my 10khz model at 100khz!





Frecuency confirmed in DSO as shown. I'll further investigate. I'm painfully using a bus pirate but I'll dump my whole EEPROM and post it here ASAP (1 or 2 horus) !

VTL, could you post Hi-Res pictures of your PCB? I want to compare if there's some resistor value difference, model selection could be a voltage divider because I haven't figured out yet any magic bit in the accessed EEPROM data at power-up that differenciates your model from mine.
« Last Edit: July 30, 2013, 11:45:21 am by carloscuev »
 

Offline vtl

  • Regular Contributor
  • *
  • Posts: 136
  • Country: au
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #42 on: July 30, 2013, 11:58:52 am »
I compared the above pictures of the 2822A and all the resistors connected to the MSP430 are identical to my board.

If there was model identification data it would most certainly be read during the powerup reads. I have copied all of your powerup data blocks and it doesn't appear to have any effect. Most likely the data is stored in the MSP430. If I could be bothered I might try plugging the jtag at work but most likely it will have code read protection on the MCU
 

Offline carloscuev

  • Regular Contributor
  • *
  • Posts: 122
  • Country: mx
    • Spanish Freescale Developers Forum
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #43 on: July 30, 2013, 12:30:41 pm »
Here's my meter's eeprom dump, could you try it in yours?
 

Offline vtl

  • Regular Contributor
  • *
  • Posts: 136
  • Country: au
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #44 on: July 30, 2013, 12:49:52 pm »
Just tried it, unfortunately doesn't turn it into a 2822A
 

Offline carloscuev

  • Regular Contributor
  • *
  • Posts: 122
  • Country: mx
    • Spanish Freescale Developers Forum
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #45 on: July 30, 2013, 01:03:17 pm »
Just tried it, unfortunately doesn't turn it into a 2822A
There's lots of bytes in the 0x0050 block that may be some model-set flags which then get resetted in EEPROM, just trying to think alternatives.

I found that when powerting up, if the meter doesn't find cal data (or whatever it is) it retries:

When Powering On at 100kHz hack mode:

[1st Block]
Read @0x0000: A5 5A
Read @0x0030: 56 45 52 32 2E 31 2E 31 31 30 33 00 ("VER2.1.1103\0")
Read @0x0040: A5 5A
Read @0x0040: A5 5A 00 00 02 00 00 00 (Beep, Auto-Off settings and maybe something else)
Read @0x0050: A5 5A
Read @0x0050: A5 5A 00 11 0F 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  (20 bytes, Power-up state)

[2nd Block]
(0.18 ms later, strangely this second block now appears continuous to the first)
Read @0x03F8 FF FF
Read @0x0802 FF FF
Read @0x0BF8 FF FF

[3rd Block]
(5.22 ms later)
Read @0x0402: FF FF
Read @0x080C: FF FF
Read @0x0C0C: FF FF

[4th Block]
(54.92 ms later retries the 2nd block)
Read @0x03F8 FF FF
Read @0x0802 FF FF
Read @0x0BF8 FF FF
 

Offline carloscuev

  • Regular Contributor
  • *
  • Posts: 122
  • Country: mx
    • Spanish Freescale Developers Forum
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #46 on: July 30, 2013, 01:37:01 pm »
There's something different that happens when it powers up and find that the FW version is different, I'm analyzing the sniff data.
 

Offline vtl

  • Regular Contributor
  • *
  • Posts: 136
  • Country: au
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #47 on: July 31, 2013, 10:44:42 am »
http://kb.bkprecision.com/questions.php?questionid=182

This is interesting. Since Tonghui is the OEM of the 879B, the button presses to get it into firmware download mode is here.
 

Offline carloscuev

  • Regular Contributor
  • *
  • Posts: 122
  • Country: mx
    • Spanish Freescale Developers Forum
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #48 on: July 31, 2013, 03:23:07 pm »
I've been playing a lot with the meter and the eeprom, so far I can list this findings:

1. Without eeprom, the meter boots fine, and measures "fine" I noticed that without the eeprom, there's more parasitic capacitance, inductance and resistance of the leads, but a simple CLEAR procedure yields the same measurements as having the eeprom, so the data read from eeprom may be just initial CLEAR data, overwritten when making a manual CLEAR procedure. Not entirely sure about that as I don not have any L, C or R references and also let's face it, the meter doesn't give highly repetitive results between reboots measuring a common passive.

2. The FW version and model displayed on boot screen are taken from the MCU, although there's that same info on eeprom. At boot, the meter reads the fw version string from eeprom, but if its not the correct one it writes 0xF0 to 0x0000 and 0x0F to 0x0001 on eeprom (normal value of this addresses is 0xA5 and 0x5A), as a flag so that in next reboot if that data is read it rewrites eeprom fw version and model strings with the correct ones. In fact I've tried different values than 0xF0 and 0x0F and the behaviour is the same, it triggers a rewrite of those strings on eeprom. I was hoping to find some values that trigger a write from eeprom to the mcu's internal memory, but couldn't find one.

3. There's a lot of "orphan data" on the eeprom that is not read in any operation mode, this data is next to the presumable cal data, couldn't find any mode that accesses it.
 

Offline carloscuev

  • Regular Contributor
  • *
  • Posts: 122
  • Country: mx
    • Spanish Freescale Developers Forum
Re: Yet another Tonghui TH2822A LCR meter review in pictures
« Reply #49 on: July 31, 2013, 03:25:34 pm »
http://kb.bkprecision.com/questions.php?questionid=182

This is interesting. Since Tonghui is the OEM of the 879B, the button presses to get it into firmware download mode is here.

It would also be interesting trying to load the BK firmware into a Tonghui, would you risk bricking yours loading the BK's 878B fw? Tough decision :P

EDIT: Even if firmware update goes well, the buttons would be messed up.
« Last Edit: July 31, 2013, 03:41:28 pm by carloscuev »
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf